Privilege Escalation, RCE Flaws Patched in Nagios Core

Attackers can chain a couple of serious flaws affecting Nagios Core to gain complete control of systems running vulnerable versions of the product, a researcher has warned.

Nagios Core is a free and open-source alerting and monitoring software for servers, networks and applications. Dawid Golunski of Legal Hackers discovered that the product has two vulnerabilities that can be used for remote code execution and privilege escalation.

The first vulnerability discovered by the expert, CVE-2016-9565, has been described as a remote code execution issue. Golunski noticed that the application’s web interface is affected by a flaw that can be exploited by a man-in-the-middle (MitM) attacker via the RSS feed feature.

According to the researcher, an attacker who can impersonate the RSS feed server – via DNS poisoning, domain hijacking or other techniques – can read and write arbitrary files on the vulnerable server and execute code in the context of a Nagios user.

Once this level of access has been obtained, an attacker can exploit a second weakness discovered by Golunski (CVE-2016-9566) to elevate privileges to root, which can result in the targeted system getting completely compromised.

This second vulnerability exists due to the way the Nagios Core daemon handles log files. An attacker who gains access to the system via CVE-2016-9566 can modify the log file and point it to a malicious file, which results in elevated privileges after a restart of Negios. The researcher pointed out that the attacker can force a restart by using the “SHUTDOWN_PROGRAM” command.

CVE-2016-9565 was initially patched in August with the release of Nagios Core 4.2.0, but the fix turned out to be incomplete. A proper patch was rolled out on October 24 with the release of version 4.2.2. CVE-2016-9566 was resolved earlier this month in Nagios Core 4.2.4. Proof-of-concept (PoC) exploits have been made available for both vulnerabilities.

This is not the first time Golunski has found vulnerabilities that can be chained for a high impact exploit. The expert recently disclosed several MySQL flaws that could have been leveraged to execute arbitrary code with elevated privileges.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.